Tobias, thank you! Indeed your suggested workaround to delete the dots in section names fixed the issue.
From: Tobias Brunner <mailto:[email protected]>
Sent: Thursday, November 30, 2017 8:49 AM
To: bls s <mailto:[email protected]>; Noel Kuntze <mailto:[email protected]>; [email protected] <mailto:[email protected]>
Subject: Re: [strongSwan] swanctl.conf EAP credential information

Hi,

The problem is the dots in the section names of your EAP secrets. For instance:

    [email protected] {
        id = [email protected]
        secret = secret1
    }

When enumerating the id... keys in these sections the current section name was written to a string buffer instead of using the parameter evaluation provided by settings_t. All dots in strings are interpreted as section separators, so the dot there caused a lookup of the section:

    eap-user1@mydomain {
        com {
            ...
        }
    }

But since that doesn't exist, no id... key was found in this section and the secrets were not associated with any identities:

> Wed, 2017-11-29 10:59 07[CFG] vici client 1 requests: load-shared
> Wed, 2017-11-29 10:59 07[CFG] loaded EAP shared key with id
> '[email protected]' for: '%any'

This basically caused the first of these secrets to get used for all clients. I pushed a fix to the swanctl-enumerate-kv branch (for connections and their subsections dots still can't be used, though).

As a workaround don't use any dots in these section names.

Regards,
Tobias
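To make the lookup failure described above concrete, here is an added example that is not strongSwan code and not part of the thread. It models settings_t's dotted-key resolution in Python over a constructed swanctl.conf fragment: a toy parser keeps section names literally (dots included), a `get_str` lookup splits its path on every dot the way settings_t does, and a pre-fix style `load_shared_secrets` builds the key path from the section name as a string. The result shows why a dotted secret section never finds its own `id` key and ends up bound to `%any`, and a small lint function flags the section names the workaround says to avoid. All names, identities and secret values in the sample are constructed.

```python
"""Toy model of strongSwan's settings_t key lookup (added example, not
strongSwan code). The parser only understands `name { ... }` blocks and
`key = value` lines, which is enough to show the dotted-section problem."""

from typing import Any, Dict, List, Optional

# Constructed swanctl.conf fragment: one secret section with a dot in its
# name (broken before the fix) and one without (works).
SAMPLE_CONF = """
secrets {
    eap-user1.example {
        id = user1@example.org
        secret = secret1
    }
    eap-user2 {
        id = user2@example.org
        secret = secret2
    }
}
"""


def parse(text: str) -> Dict[str, Any]:
    """Parse sections and key/value pairs into nested dicts.
    Section names are stored literally, dots and all; the trouble only
    starts when such a name is later fed back into a dotted lookup path."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
        elif line.endswith("{"):
            section: Dict[str, Any] = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        else:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError("unterminated section")
    return root


def get_str(settings: Dict[str, Any], path: str) -> Optional[str]:
    """settings_t-style lookup: every dot in the path is a section
    separator, so "secrets.eap-user1.example.id" descends into
    secrets -> eap-user1 -> example -> id, not into "eap-user1.example"."""
    node: Any = settings
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node if isinstance(node, str) else None


def load_shared_secrets(settings: Dict[str, Any]) -> Dict[str, List[str]]:
    """Mimic the pre-fix enumeration: walk the sections under `secrets`,
    then resolve each id* key through a string path built from the
    section name. Returns the identities each secret gets bound to;
    ["%any"] reproduces the symptom from the log in the mail."""
    result: Dict[str, List[str]] = {}
    for name, section in settings.get("secrets", {}).items():
        ids = []
        for key in section:
            if key.startswith("id"):
                value = get_str(settings, f"secrets.{name}.{key}")
                if value is not None:
                    ids.append(value)
        result[name] = ids or ["%any"]
    return result


def dotted_secret_sections(settings: Dict[str, Any]) -> List[str]:
    """Lint: secret section names containing a dot, i.e. the ones the
    workaround in the thread says to rename."""
    return [name for name in settings.get("secrets", {}) if "." in name]


if __name__ == "__main__":
    conf = parse(SAMPLE_CONF)
    for section, identities in load_shared_secrets(conf).items():
        print(f"{section}: bound to {identities}")
    print("sections to rename:", dotted_secret_sections(conf))
```

Running the block prints the dotted section bound to `['%any']` and the dot-free one bound to its real identity, which is exactly the difference between the two secrets in the log above; the lint output is the list of section names to rename as a workaround.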
